The chip shortage has already plagued the tech hub, and a new chip security flaw has now become a growing concern among smartphone users. Zero-day vulnerabilities have given hackers leeway to exploit systems and gain ‘administrator privileges.’ Security researchers have unearthed a flaw in the MediaTek chips that power over a third of the world’s smartphones.
As per Check Point Research (CPR), the flaw was found in a MediaTek audio processing chip that is implemented in many Android phones from major vendors including Xiaomi, Oppo, Realme, and Vivo. In a blog post, CPR explained how the hack could be executed via three separate vulnerabilities: CVE-2021-0661, CVE-2021-0662, and CVE-2021-0663.
How a flaw in the MediaTek chip could have helped hackers run ‘eavesdrop campaign’
CPR reverse-engineered MediaTek’s audio chip and discovered an opening that could allow a malicious app to install code. The report detailed what hackers would have been required to go through to exploit this vulnerability. Once a user installed and launched a malicious app from the Google Play Store, hackers would have had the opportunity to misuse the vulnerability in MediaTek SoC-powered smartphones. Upon installation, the app would have used the MediaTek API to ‘intercept audio passing through the chip and either record it locally or upload it to an attacker’s server.’
CPR disclosed its findings to MediaTek and Xiaomi in October, and the identified vulnerabilities have already been patched by the Taiwanese chip manufacturer. Had the flaw been left unpatched, a hacker could have exploited it in the chip to eavesdrop on users and hide malicious code.
“Device security is a critical component and priority of all MediaTek platforms. Regarding the Audio DSP vulnerability disclosed by Check Point, we worked diligently to validate the issue and make appropriate mitigations available to all OEMs. We have no evidence it is currently being exploited. We encourage end-users to update their devices as patches become available and to only install applications from trusted locations such as the Google Play Store,” Tiger Hsu, Product Security Officer at MediaTek stated.
Slava Makkaveev, Security Researcher at Check Point Software, said in a press release cited by Digital Trends that, with MediaTek’s ubiquity in the world, they suspected a potential threat and ‘embarked research into the technology,’ which revealed a chain of vulnerabilities that could be used as an attack vector to create an ‘eavesdrop campaign.’ Thankfully, the flaws were caught before they could reach hackers who might have exploited them further.